Apache Traffic Server Vulnerabilities Let Attackers Trigger DoS Attack

David kimber
April 6, 2026

The Apache Software Foundation has issued emergency security updates for its Apache Traffic Server (ATS), patching two severe vulnerabilities.

ATS operates as a high-performance web proxy cache that improves network efficiency and handles massive volumes of enterprise web traffic.

These newly discovered flaws stem from how the server processes HTTP requests with message bodies.

If left unpatched, remote attackers can exploit these weaknesses to trigger Denial-of-Service (DoS) conditions or execute complex HTTP request smuggling attacks against enterprise networks.

Apache Traffic Server Vulnerabilities

The most disruptive flaw is tracked as CVE-2025-58136. Security researcher Masakazu Kitajo discovered that a simple, legitimate HTTP POST request can cause the entire ATS application to crash.

Because POST requests are standard methods for submitting data to a web server, this vulnerability is highly accessible to remote attackers.

When exploited, the crash causes an immediate denial of service, bringing down the proxy server and blocking access for all legitimate users relying on that infrastructure.

The second vulnerability, designated as CVE-2025-65114, was identified by security researcher Katsutoshi Ikenoya.

This flaw centers on how the Apache Traffic Server handles malformed chunked message bodies during data transmission. Attackers can exploit this improper handling to achieve HTTP request smuggling.

This advanced attack technique enables malicious actors to manipulate the processing of sequences of HTTP requests, bypassing security controls to poison web caches or gain unauthorized access to sensitive data on downstream servers.

These vulnerabilities impact multiple active branches of the Apache Traffic Server. According to the official security advisory, the affected software includes ATS versions 9.0.0 through 9.2.12, as well as versions 10.0.0 through 10.1.1.

Administrators managing these specific versions must take immediate action to secure their network environments against potential exploitation.

The Apache Software Foundation strongly recommends that all administrators upgrade their installations to the latest secure releases.

Users operating on the 9.x branch should update to version 9.1.13 or later. Meanwhile, organizations utilizing the 10.x branch must upgrade to version 10.1.2 or newer to completely eliminate the threat.

For teams that cannot immediately apply the software updates, a temporary workaround exists for the DoS vulnerability (CVE-2025-58136).

Administrators can stop the crash by setting the proxy.config.http.request_buffer_enabled parameter to 0. Fortunately, this is already the default value in the system configuration, meaning many servers may already be protected from the crash.

However, there is absolutely no workaround available for the request smuggling vulnerability (CVE-2025-65114). Consequently, a full software upgrade remains the only effective strategy to secure the server environment against both threats.
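The triage described above can be scripted. The following is an added example, not code from the Apache advisory or from ATS itself: it checks a version string against the affected ranges quoted in this article and reads the request-buffer setting from records.config-style text. The function names, the sample config, the "CONFIG <name> INT <value>" line layout and the last-entry-wins rule are assumptions of this sketch.

```python
import re

# Affected ranges quoted in the article (inclusive on both ends).
AFFECTED = [((9, 0, 0), (9, 2, 12)), ((10, 0, 0), (10, 1, 1))]
SETTING = "proxy.config.http.request_buffer_enabled"

# Constructed sample in records.config line style (assumed layout).
SAMPLE_RECORDS = """\
# constructed sample, not from a real deployment
CONFIG proxy.config.http.server_ports STRING 8080
CONFIG proxy.config.http.request_buffer_enabled INT 1
"""

def parse_version(text):
    """Extract the first x.y.z version found in text as an int tuple."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    """True if the version lies inside a range the article lists as affected."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def request_buffer_enabled(records_text):
    """Return the setting's value from records.config-style text.

    Falls back to 0, the default stated in the article, when the key is
    absent. Assumption of this sketch: the last matching line wins.
    """
    value = 0
    for raw in records_text.splitlines():
        parts = raw.strip().split()
        if parts[:1] == ["CONFIG"] and len(parts) == 4 and parts[1] == SETTING:
            value = int(parts[3])
    return value

def assess(version, buffer_enabled):
    """Map version and setting to exposure for the two CVEs in the article."""
    affected = is_affected(version)
    return {
        # CVE-2025-58136: the workaround (setting = 0) stops the crash.
        "dos_exposed": affected and buffer_enabled != 0,
        # CVE-2025-65114: no workaround, so the version alone decides.
        "smuggling_exposed": affected,
        "upgrade_required": affected,
    }
```

On a running host, the value passed as buffer_enabled can also be read with traffic_ctl config get rather than parsed from a file.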
